CVE-2018-25131
Stored XSS in Leica Geosystems GNSS Configuration Upload
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leica_geosystems | gr30 | 4.30.063 |
| leica_geosystems | gr10 | 4.30.063 |
| leica_geosystems | gr50 | 4.30.063 |
| leica_geosystems | gr25 | 4.30.063 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in Leica Geosystems GR10/GR25/GR30/GR50 GNSS software version 4.30.063 and earlier. It occurs because the software allows unrestricted upload of configuration files, including malicious HTML or JavaScript files. These malicious files are stored on the device and, when accessed, execute arbitrary JavaScript in the user's browser session, potentially compromising the user's interaction with the device's web interface. [2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a user's browser session when they access the affected device's web interface. This can lead to theft of sensitive information such as cookies, session tokens, or other data accessible via the browser, potentially enabling further attacks like session hijacking or unauthorized actions on the device. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious HTML or JavaScript files uploaded to the device, specifically in the /settings/poc.html path. Detection involves monitoring HTTP POST requests to the /upload_config/ endpoint for suspicious multipart/form-data uploads containing HTML or JavaScript code. A practical approach is to capture and analyze network traffic for such POST requests. For example, using curl to simulate or detect uploads: curl -v -F '[email protected]' http://<device-ip>/upload_config/ or using network monitoring tools to inspect traffic to /upload_config/. Additionally, inspecting the /settings/poc.html file on the device for unexpected content can help identify exploitation. [2, 3]
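One way to implement the monitoring described in this answer, as an added example that is not part of the advisory or of Leica's software: a small Python inspector that parses a captured POST to /upload_config/ and flags uploaded parts whose filename or content looks like HTML or JavaScript rather than a configuration file. The endpoint and the poc.html filename come from this page; the form field name "file", the host name and the sample requests are constructed assumptions.

```python
import re
from email import message_from_bytes
from email.policy import default

UPLOAD_PATH = "/upload_config/"  # upload endpoint named in the advisory
SUSPECT_EXT = (".html", ".htm", ".js", ".svg")  # assumption: never valid for a config upload
MARKUP_RE = re.compile(rb"<\s*(script|iframe|img|svg|html|body|object|embed)\b|javascript:", re.I)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body

def inspect_upload(raw: bytes) -> list:
    """Return findings for one captured request; an empty list means nothing suspicious."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not path.startswith(UPLOAD_PATH) or "multipart/form-data" not in ctype:
        return []
    # Re-wrap the body as a MIME message so the stdlib parser handles boundaries and quoting
    msg = message_from_bytes(b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + body, policy=default)
    findings = []
    for part in msg.iter_parts():
        name = part.get_filename() or "<no filename>"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(SUSPECT_EXT):
            findings.append(f"{name}: disallowed extension for a config upload")
        if MARKUP_RE.search(data):
            findings.append(f"{name}: body contains HTML/JavaScript markup")
    return findings

def build_request(filename: bytes, content: bytes) -> bytes:
    """Build a constructed multipart POST to the upload endpoint (sample input, not captured traffic)."""
    boundary = b"constructedBoundary1234"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n"
            b"--" + boundary + b"--\r\n")
    return (b"POST /upload_config/ HTTP/1.1\r\nHost: gnss-receiver.example\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body)

SUSPECT = build_request(b"poc.html", b"<html><body><script>/* constructed sample */</script></body></html>")
BENIGN = build_request(b"receiver.cfg", b"[gnss]\ntracking=GPS,GLONASS\nrate=1Hz\n")
```

Feed it the raw request bytes from a capture (for example a tcpdump/Wireshark export) and alert on any non-empty result; a GET of /settings/poc.html is not an upload and is intentionally ignored here.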
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the configuration file upload functionality to prevent uploading malicious files. Ensure that only trusted users have access to the upload feature. Monitor and remove any suspicious files found in the /settings/poc.html path. Applying firmware updates or patches from Leica Geosystems, if available, is recommended. If no patch is available, consider isolating the device from untrusted networks to reduce exposure. [2, 3]